Guest
I am trying to push firewall policies to a domain, and I'm trying to get the
Bypass Firewall with IPSEC connections to work so that a group of techies can
bypass the policies and administer machines with various tools. As a start, I
have configured the domain policies with something very close to the settings
recommended by Microsoft best practices. However, I cannot get the bypass
firewall setting to allow my administrator machine into the client. According
to the docs, I must connect via IPSEC and configure the Bypass Setting with SDDL
syntax. I've used IPFILTERS to successfully make an IPSEC connection between
a Win2k server and an XP client (request security). I've seemingly verified
this with ipsecmon and packet sniffers. I've looked at the firewall log on
the client, and it is still dropping my TCP connections from my admin
station (to port 139, which is closed by the policies). I've tried putting my
admin computer accounts into a group, and applying the SDDL syntax on the SID
of that group, but I've also tried syntax to allow the user group "Domain
Admins" into the machine. Basically nothing I try works, and there are very
few examples on the internet or at Microsoft. More importantly, even with
turning on all auditing, I cannot find a way to figure out where the SDDL
syntax is probably failing. What tool can I use to see where the firewall
might be failing on SDDL syntax or perhaps another reason? The firewall logs
and event viewer do not give me enough info. Also, do I need to adjust any
machine policies to allow this feature...like DCOM...connect from
network...etc. to work? The MS XP firewall doc gives one simple example of
SDDL but does not seem complete. The actual SDDL how-to is also not that
helpful.
Thanks,
Forrest
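Since the firewall log gives no hint about a malformed bypass string, one thing worth doing before pushing the policy is a structural check of the SDDL itself. The following is an added example, not code from the post or from Microsoft; it assumes the O:DAG:DAD:(A;;RCGW;;;SID) shape that the XP SP2 firewall documentation gives for the authenticated IPsec bypass setting, and the SIDs in it are constructed sample values.

```python
import re

# Trustee must be a full "S-1-..." SID or a two-letter SDDL alias (e.g. DA =
# Domain Admins). A plain group name such as "MYDOMAIN\Techies" is not accepted.
SID_RE = re.compile(r"^(?:S-1-\d+(?:-\d+)+|[A-Z]{2})$")
# ACE grammar: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"^\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;)]*)\)$")


def build_bypass_sddl(sids):
    """Build the bypass string for a list of group/computer SIDs (assumed form)."""
    return "O:DAG:DAD:" + "".join(f"(A;;RCGW;;;{sid})" for sid in sids)


def check_bypass_sddl(sddl):
    """Return a list of structural problems (empty list = syntactically OK).
    This only checks the string's shape; it cannot tell whether the SID is the
    right one or whether the IPsec negotiation actually succeeded."""
    problems = []
    s = sddl.strip()
    if " " in s:
        problems.append("whitespace inside the SDDL string")
    m = re.match(r"^O:([^:]+?)G:([^:]+?)D:(.*)$", s)
    if not m:
        return problems + ["missing O:/G:/D: sections (expected O:DAG:DAD:(...))"]
    owner, group, dacl = m.groups()
    for label, sid in (("owner", owner), ("group", group)):
        if not SID_RE.match(sid):
            problems.append(f"{label} is not a SID or SDDL alias: {sid}")
    body = re.match(r"^([A-Z]*)((?:\([^()]*\))*)$", dacl)
    if not body:
        return problems + ["DACL is not a run of parenthesised ACEs: " + dacl]
    aces = re.findall(r"\([^()]*\)", body.group(2))
    if not aces:
        problems.append("no ACE found; at least one (A;;RCGW;;;SID) entry is needed")
    for ace in aces:
        am = ACE_RE.match(ace)
        if not am:
            problems.append("ACE does not have six ;-separated fields: " + ace)
            continue
        ace_type, _flags, rights, _og, _ig, trustee = am.groups()
        if ace_type != "A":
            problems.append("bypass ACEs must be allow (A) entries: " + ace)
        if "RC" not in rights or "GW" not in rights:
            problems.append("rights should include RC and GW (RCGW): " + ace)
        if not SID_RE.match(trustee):
            problems.append("trustee is not a SID or SDDL alias: " + ace)
    return problems
```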